2016 • In SYMEONIDIS, Iraklis (Ed.) Proceedings of the 2nd International Conference on Information Systems Security and Privacy, ICISSP 2016, Rome, Italy, February 19-21 2016.
Third-party apps enable a personalized experience on social networking platforms; however, they give rise to privacy interdependence issues. Apps installed by a user’s friends can collect and potentially misuse her personal data, inflicting collateral damage on the user while leaving her without proper means of control. In this paper, we present a multi-faceted study on the collateral information collection of apps in social networks. We conduct a user survey and show that Facebook users are concerned about this issue and the lack of mechanisms to control it. Based on real data, we compute the likelihood of collateral information collection affecting users; we show that the probability is significant and depends on both the friendship network and the popularity of the app. We also show its significance by computing the proportion of exposed user attributes, including the case of profiling, when several apps are offered by the same provider. Finally, we propose a privacy dashboard concept enabling users to control the collateral damage.
Disciplines :
Computer science
Author, co-author :
SYMEONIDIS, Iraklis ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Tsormpatzoudi, Pagona
Preneel, Bart
External co-authors :
yes
Language :
English
Title :
Collateral Damage of Online Social Network Applications
Publication date :
2016
Event name :
2nd International Conference on Information Systems Security and Privacy
Event date :
19-21 February, 2016
Audience :
International
Main work title :
Proceedings of the 2nd International Conference on Information Systems Security and Privacy, ICISSP 2016, Rome, Italy, February 19-21 2016.